ICO call for views on updating the data 1 CO 
© 


sh aring CO de of p ractice Information Commissioner's Office 


Data sharing can bring important benefits to organisations, citizens and 
consumers, making our lives easier and helping to deliver efficient 
services. It is important, however, that organisations who share personal 
data have high data protection standards, sharing data in ways that are 
fair, transparent and accountable. We also want controllers to be 
confident when dealing with data sharing matters so individuals can be 
confident their data has been shared securely and responsibly. 


As required by the Data Protection 2018, we are working on updating our 
data sharing code of practice, which was published in 2011. The updated 
code will explain and advise on changes to data protection legislation 
where these changes are relevant to data sharing. It will address many 
aspects of the new legislation including transparency, lawful bases for 
processing, the new accountability principle and the requirement to record 
processing activities. 


The updated data sharing code of practice will continue to provide 
practical guidance in relation to data sharing and will promote good 
practice in the sharing of personal data. In the first instance we will 
address the impact of the changes in data protection legislation on data 
sharing and will then move on to developing further case studies. Our 
intention is that, as well as legislative changes, the code will also deal 
with technical and other developments that have had an impact on data 
sharing since the publication of the last code in 2011. 


Before preparation of the code the Information Commissioner must 
consult with the Secretary of State. She is also seeking input from trade 
associations, data subjects and those representing the interests of data 
subjects. This call for views is the first stage of the consultation process. 
We will use the responses we receive to inform our work in developing the 
updated code. 


You can email your response to 


© 
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Information Commissioner's Office 


Or print and post to: 


Data Sharing Code Call for Evidence 
Central Government Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the call for evidence, please email 
the Central Government team. 


Please send us your views by 10 September 2018. 


Privacy statement 


For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 


Questions 


Qi We intend to revise the code to address the impact of changes in 
data protection legislation, where these changes are relevant to 
data sharing. What changes to the data protection legislation do 
you think we should focus on when updating the code? 


he additional obligations on data processors under the new legislation. 


Q2 
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Apart from recent changes to data protection legislation, are there 
other developments that are having an impact on your 
organisation’s data sharing practice that you would like us to 
address in the updated code? 


Yes 


No 


If yes (please specify) 


Does the 2011 data sharing code of practice strike the right 
balance between recognising the benefits of sharing personal data 
and the need to protect it? Please give details. 


Yes 


No 
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Q5 If yes in what ways does it achieve this? 


Q6 If no, in what ways does it fail to strike the right balance? 


When it comes to data sharing, there is an inherent risk aversion in both 
private sector organisations and public bodies that, in general, prevents 
the proactive sharing of information. With the introduction of the GDPR 
and Data Protection Act 2018, there has been a huge increase in 
awareness of individual’s rights when it comes to the handling of personal 
data, and understanding how it is being processed. Whilst this is a 
manifestly positive step, this increase in awareness has had a knock on 
effect, consciously or otherwise, on the appetite of businesses and public 
bodies to share information, even where the justifications for doing so are 
well grounded. Whilst the 2011 Code is useful, the updated Code has the 
opportunity to rebuff suggestions that data protection legislation prohibits 
data sharing, and to demonstrate how, where there is sound justification, 
data sharing is both necessary and beneficial. This is an opportunity to 
rebalance the contradiction between perception and reality on both the 
legal bases and practical benefits for data sharing. 


The revised data sharing Code should emphasise the benefits of 
appropriate data sharing as well as the risks which need to be mitigated 
when data is shared. For example, the June 2013 Information Governance 
Review by Dame Fiona Caldicott noted that “When it comes to sharing 
information, a culture of anxiety permeates the health and social care 
sector”. The National Police Chiefs’ Council (NPCC) Policing Vision 2025 
has identified a need to “/work] with the Government to ensure projects 
are not undermined by differing boundaries, multiple service providers 
and incompatible data sharing policies” (§4.2). These statements accord 
with the results of techUK’s annual Civil Servant Survey, which 
highlighted in 2017 that almost all civil servants believe sharing more 
information would benefit the services they provide to citizens (just 6% 
indicated to the contrary). We are concerned that the publicity which has 


accompanied the GDPR may contribute to civil servants’ anxiety about 
data sharing. While it is positive that data protection requirements are 
receiving considerably more public attention, there have been some 
inaccuracies in the reporting of new GDPR requirements which may create 
misunderstanding of when data can and cannot be shared. Accordingly, 


we think it is important that the new Code should encourage appropriate 
data sharing (with illustrative examples of situations where data sharing 
has led to positive outcomes) while also explaining the limits of such 
sharing. 


Q7 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are covered in too much detail in the 
2011 code? 


here is an appropriate level of information relating to routine data 

haring. However, further information about data sharing within 
organisations, particularly large organisations that operate in different 
ountries, would be beneficial. A case study supporting this would also be 
useful. 


Q8 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are not covered in enough detail in 
the 2011 code? 


Further information on ad hoc data sharing requests and arrangements 


ould be beneficial. Case studies demonstrating this type of data sharing 
arrangement would be useful. 
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Q9 Is the 2011 code relevant to the types of data sharing your 
organisation is involved in? If not, which additional areas should 
we cover? 


es, it is relevant. 


Q10 Please provide details of any case studies or data sharing scenarios 
that you would like to see included in the updated code? 


he Code does not provide sufficient examples of data sharing 
arrangements between private sector entities and public bodies. Ideally, 
wo scenarios would be included, one where it is the private sector entity 
Sharing their data with a public body, and a second where the public body 
is sharing their data with a private sector organisation. 


A case study about data sharing within an organisation would also be 
beneficial. 


Finally, it would be beneficial to include examples of data sharing 
initiatives that have succeeded, and resulted in public benefit. Similarly, it 

ould be helpful to have examples of data sharing initiatives that have 
been unsuccessful, or have been found to be unlawful. This would prevent 
he same arrangements being replicated unknowingly elsewhere. 
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Q11 Is there anything the 2011 code does not cover that you think it 
should? Please provide details. 


With regard to express obligations, express powers or implied powers 
from which public bodies derive their powers to share data, we have 
found that there is: 


(i) a lack of awareness that these powers exist; and 


(ii) a lack of awareness as to where these powers can be found. 


Whilst we acknowledge that these powers are referred to in the 2011 
Code, in our opinion, specific examples for each power would be 
beneficial, preferably supported by the relevant legislation. In particular, a 


variety of examples for implied powers would be beneficial, as these may 
not be immediately apparent to individuals who do not regularly deal with 
data sharing arrangements. 


Additionally, it would be beneficial for the Code to explain what public 
sector bodies can do if there is no power to share data, but there is a 
good reason for doing so. It would be useful for the Code to outline what 
public bodies can do in this scenario, e.g. anonymising the data to enable 
sharing, or escalating to the relevant data protection officer and arranging 
an ad hoc data sharing agreement for the specific sharing. Providing this 
additional information will hopefully empower public bodies to pursue data 
sharing arrangements which could provide public benefit, even if there is 
no existing power to implement them. 


Q12 In what other ways do you think the 2011 code could be 
improved? 


None in addition to those already mentioned in this response. 
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About you: 


WJ 


Are you answering these questions as? 
A public sector worker 

A private sector worker 

A third or voluntary sector worker 

A member of the public 

A representative of a trade association 
A data subject 

An ICO employee 
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Other 


Q14 If other please specify: 


his submission is made on behalf of techUK & Ark Data Centres Limited. 
echUK and Ark Data Centres Limited are developing a working group on 


public sector data sharing, and have commissioned of 
Blackstone Chambers to conduct research on the area. 


Q15 Please provide more information about the type of organisation 
you work for, ie a bank, a housing association, a school. 


Ark Data Centres Limited - private limited company 


echUK - trade association 


Q16 We may want to contact you about some of the points you have 
raised. If you are happy for us to do this please provide your email 
address: 


Thank you for taking the time to share your views and experience. 


